Security management device and method

ABSTRACT

In a case where a master virtual machine, which is constructed on the basis of master information for configuring either part or all of a virtual machine, and an individual virtual machine, which is constructed on the basis of individual information that is configured partially or entirely in accordance with the master information, exist as the types of virtual machines that a physical client provides to a user terminal, a security check of a plurality of virtual machines is selectively executed, with respect to each check item, for a virtual machine of the type corresponding to the contents of the check item.

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

This application is a Continuation of U.S. application Ser. No. 13/668,637, filed Nov. 5, 2012, incorporated herein by reference in its entirety, which is a Continuation of U.S. application Ser. No. 12/521,540, now U.S. Pat. No. 8,321,863, (National Stage of PCT/JP2009/054827), filed Jun. 26, 2009, incorporated herein by reference in its entirety.

TECHNICAL FIELD

The present invention relates to a security management device and method, and is particularly suited to a security management server for executing a security check for a plurality of virtual clients in a network system in which the plurality of virtual clients have a common configuration.

BACKGROUND ART

With enactment of the SOX Act, companies are being required to strengthen security measures to bring their operations into compliance with this law. Security management has become important even for the client terminals used by individuals in a company, and there is an increasing need for constant awareness and monitoring of the latest security situation regarding client terminals (simply referred to as clients hereinafter) connected to a network.

Conventional techniques for meeting this need, for example, include a method for auditing the security situation of a network-connected client disclosed in Patent Document 1. Also, software for checking whether or not the assets (installed software and patches) of each client connected to a network are secure, totaling the results of the check and notifying the administrator has been released by various vendors.

Meanwhile, from the standpoint of reducing TCO and improving operations management, virtualization technology, which uses software to emulate a computer, thereby providing a virtual computer environment, that is, a virtual machine, has come into widespread use. Utilizing virtualization technology makes it possible to share a machine image of a virtual machine between a plurality of virtual machines. In accordance with this, only the difference data between the shared machine images needs to be managed for each virtual machine.

Virtualization technology such as this, for example, is disclosed in Patent Document 1 and Japanese Patent Application Laid-open No. 2006-221649 (called Patent Document 2 hereinafter), and various vendors have also released products that make use of this virtualization technology, such as Linked Clone technology by VMware (registered trademark) (refer to the VMware (registered trademark) View 3 brochure at http://www.vmware.com/files/pdf/view_brochure.pdf (called Non-Patent Document 1 hereinafter)), and FlexClone (registered trademark) technology by NetApp (registered trademark) (refer to the NetApp (registered trademark) FlexClone (registered trademark) Datasheet at http://media.netapp.com/documents/ds-2837-0808-flexclone.pdf (referred to as Non-Patent Document 2 hereinafter)). Further, technology for migrating a virtual machine from one physical machine to another physical machine, for example, has also been disclosed in Japanese Patent Application Laid-open No. 2007-66265.

In a large-scale network environment, the number of clients targeted by a security check is enormous, and therefore carrying out a security check of all the clients requires a long period of time, making it difficult to grasp the latest security situation of each client.

Further, the increase in the number of virtual machines in line with the spread of virtualization technology in recent years is expected to significantly increase the number of management-targeted clients, most likely making it increasingly difficult in the future to discern the latest security situation of each virtual machine in a large-scale network environment. For this reason, security checks of network environments like this will have to be carried out faster.

DISCLOSURE OF THE INVENTION

With the foregoing in view, an object of the present invention is to propose a security management device and method that make it possible to carry out a security check faster and more efficiently.

To solve this problem, in the present invention, a security management device for managing the security of a plurality of virtual machines, which is a virtual computer environment that a physical client provides to a user terminal, comprises a storage device for storing a check policy, which prescribes either one or a plurality of check items related to a security check for the above-mentioned plurality of virtual machines, and a security check program; and a CPU (Central Processing Unit) for executing, on the basis of the above-mentioned security check program, a security check for the above-mentioned plurality of virtual machines in accordance with the above-mentioned check policy, the above-mentioned virtual machines including as types a master virtual machine, which is constructed on the basis of master information for configuring either a part or all of a virtual machine, and an individual virtual machine, which is constructed on the basis of individual information that is configured partially or entirely in accordance with the above-mentioned master information, and the above-mentioned CPU selectively executing the security check, for each of the above-mentioned check items, for the type of the virtual machine in accordance with contents of the check items.

Further, in the present invention, a security management method for managing the security of a plurality of virtual machines, which is a virtual computer environment that a physical client provides to a user terminal, comprises a first step for storing a check policy, which prescribes either one or a plurality of check items related to a security check for the above-mentioned plurality of virtual machines, and a security check program; and a second step for executing, on the basis of the above-mentioned security check program, a security check for the above-mentioned plurality of virtual machines in accordance with the above-mentioned check policy, the above-mentioned virtual machines including as types a master virtual machine, which is constructed on the basis of master information for configuring either a part or all of a virtual machine, and an individual virtual machine, which is constructed on the basis of individual information that is configured partially or entirely in accordance with the above-mentioned master information, and the above-mentioned second step selectively executing, for each of the above-mentioned check items, the above-mentioned security check for the above-mentioned virtual machine of the type corresponding to the contents of this check item.

According to the present invention, it is possible to selectively execute a security check for each check item for a required type of virtual machine, thereby enabling the omission of a security check for a type that is not required. In this way, it is possible to realize a security management system and method that enable a security check to be carried out faster and more efficiently.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the overall configuration of a network system according to a first embodiment;

FIG. 2 is a block diagram showing the simplified configuration of a security management server according to the first embodiment;

FIG. 3 is a table showing the configuration of a check policy management table according to the first embodiment;

FIG. 4 is a table showing the configuration of an individual VM/master VM correspondence management table;

FIG. 5 is a table showing the configuration of a check result management table;

FIG. 6 is a table showing the configuration of a client management table;

FIG. 7 is a block diagram showing a simplified configuration of a physical client according to the first embodiment;

FIG. 8 is a block diagram showing a simplified configuration of a VM management server according to the first embodiment;

FIG. 9 is a table showing the configuration of a virtual machine management table;

FIG. 10 is a table showing the configuration of a physical machine management table;

FIG. 11 is a block diagram showing the logical configuration of the network system according to the first embodiment;

FIG. 12 is a PAD diagram showing the processing steps of a security management control process according to the first embodiment;

FIG. 13 is a PAD diagram showing the processing steps of a setting process according to the first embodiment;

FIG. 14 is a simplified diagram showing an example of the configuration of the check policy setting window of the first embodiment;

FIG. 15 is a simplified diagram showing an example of the configuration of the setting window corresponding to individual VM/master VM of the first embodiment;

FIG. 16 is a PAD diagram showing the processing steps of the security check process of the first embodiment;

FIG. 17 is a PAD diagram showing the processing steps of a VM information collection process;

FIG. 18 is a diagram showing an example of the working of the first embodiment;

FIG. 19 is a block diagram showing the overall configuration of a network system of a second embodiment;

FIG. 20 is a block diagram showing the configuration of a physical client according to the second embodiment;

FIG. 21 is a diagram showing the logical configuration of the network system according to the second embodiment;

FIG. 22 is a table showing the configuration of a check management policy table according to the second embodiment;

FIG. 23 is a PAD diagram showing the processing steps of the security check process of the second embodiment;

FIG. 24 is a block diagram showing the overall configuration of a network system of a third embodiment;

FIG. 25 is a block diagram showing the configuration of a security management server according to the third embodiment;

FIG. 26 is a block diagram showing the configuration of a VM management server according to the third embodiment;

FIG. 27 is a simplified diagram showing an example of the configuration of a check policy setting window according to the third embodiment;

FIG. 28 is a PAD diagram showing the processing steps of a security management control process of the third embodiment;

FIG. 29 is a PAD diagram showing the processing steps of a check target setting process according to the third embodiment;

FIG. 30 is a block diagram showing the overall configuration of a network system of a fourth embodiment;

FIG. 31 is a block diagram showing the configuration of a security management server according to the fourth embodiment;

FIG. 32 is a table showing the configuration of a check target management table; and

FIG. 33 is a PAD diagram showing the processing steps of a check target setting process of the fourth embodiment.

BEST MODE FOR CARRYING OUT THE INVENTION

One embodiment of the present invention will be explained by referring to the drawings.

Furthermore, in the explanation below, the information of the present invention will be explained using expressions such as “xxx table”, “xxx list”, “xxx DB” and “xxx queue”, but this information may also be expressed as data structures other than a table, list, DB or queue. For this reason, “xxx table”, “xxx list”, “xxx DB” and “xxx queue” may also be called “xxx information” to show that the information is not dependent on the data structure.

In the explanation that follows, there may be cases where an explanation is given having “program” as the subject, but because a process is carried out by executing a program in accordance with a processor while using memory and a communication port (communication control device), the explanation may also employ processor (CPU) as the subject. Further, a process disclosed having a program as the subject may also be carried out by a management server or other such computer, or an information processing system. Further, either a portion or all of a program may be realized in accordance with dedicated hardware.

Various types of programs may also be installed in the respective computers in accordance with a program distribution server or storage media.

(1) First Embodiment

(1-1) Configuration of Network System According to this Embodiment

In FIG. 1, reference numeral 100 denotes an overall network system according to this embodiment. In this network system 100, a security management server 101, a physical client group comprising first and second physical clients 102A, 102B, a VM (Virtual Machine) management server 103 and a user terminal 107 are interconnected via a network 105 configured from either a LAN (Local Area Network) or a WAN (Wide Area Network). Further, the first and second physical clients 102A, 102B are connected to a storage device 104 via a SAN (Storage Area Network) 106. Furthermore, in this embodiment, for the sake of brevity, an explanation is given of a case in which the physical client group comprises only two units, the first and second physical clients 102A, 102B, but the present invention is also applicable when three or more physical clients make up the physical client group.

The security management server 101, for example, is configured from a personal computer, a workstation, or a mainframe, and manages the security status of respective virtual machines that run on the first and second physical clients 102A, 102B as explained hereinbelow.

The first and second physical clients 102A, 102B provide the user terminal 107 with a virtual machine (this virtual machine will be called a virtual client hereinafter for convenience sake) that is used as a client machine. Further, the VM management server 103 manages virtual clients that run on the first and second physical clients 102A, 102B.

The storage device 104 stores either one or a plurality of machine image information 320, which is the configuration information (information such as data stored in the CPU (Central Processing Unit), memory, communication device and storage device) of the respective virtual clients running on the first and second physical clients 102A, 102B, and the various types of data used by a virtual client.

The user terminal 107 is a terminal device configured from an ordinary individual computer or thin client, and is used by an ordinary user to utilize virtual clients running on the first and second physical clients 102A, 102B. The user terminal 107 is not targeted for security management in accordance with the security management method of this embodiment.

Furthermore, the security management server 101 and the VM management server 103 may be configured from a single computer, and may also be the same computer as the first and second physical clients 102A, 102B. Either part or all of the various programs and information held by the security management server 101 may be disposed on one or more (a plurality of) computers, and a configuration may be adopted in which the security management server 101 is realized by the plurality of computers. Similarly, the configuration may be such that the VM management server 103 is constructed from one or more (a plurality of) computers, and the first and second physical clients 102A, 102B are constructed from one or more (a plurality of) computers.

Further, methods (a) and (b) below may be considered as methods for inputting/outputting commands and information to/from virtual machines running on the first and second physical clients 102A, 102B, but methods other than these may also be used.

(a) A method for providing virtual machines with input from an input/output device, such as a display, keyboard and/or mouse of the first and second physical clients 102A, 102B, and outputting an output of the virtual machine (for example, a display and sound) to this input/output device.

(b) A method for providing a virtual machine with input from an input/output device, such as a display, keyboard and/or mouse, of a computer other than the first and second physical clients 102A, 102B, and outputting an output of the virtual machine (for example, a display and sound) to this input/output device.

(1-2) Security Management Server Configuration

FIG. 2 shows a specific configuration of the security management server 101 of this embodiment. The security management server 101 comprises a CPU 201, a main memory 202, an instruction input device 203, a display 204, an external storage device 205, and a communication controller 206, and these components are interconnected by way of a system bus 207.

The CPU 201 is a processor in charge of controlling the overall operations of the security management server 101. Processing such as that described hereinbelow is performed by the security management server 101 in accordance with this CPU 201 executing various programs stored in the main memory 202. Further, the main memory 202, in addition to being used for holding various types of programs and information, is also utilized as the CPU 201 working memory.

The instruction input device 203 is for inputting a variety of instructions to the security management server 101, and is configured from a keyboard and/or mouse. The display 204, for example, is configured from a liquid crystal panel or CRT (Cathode Ray Tube), and, under the control of the CPU 201, displays the status and results of processes executed by the security management server 101.

The external storage device 205, for example, is a high-capacity storage medium configured from a hard disk device, and is utilized for storing various types of programs and data. A program stored in the external storage device 205 is loaded into the main memory 202 in accordance with a program start command from the instruction input device 203, and is executed by the CPU 201. The communication controller 206 is used for exchanging various data and commands with the other devices connected to the network 105 by way of this network 105.

Furthermore, the security management server 101 may have input-output devices other than the instruction input device 203 and display 204, and furthermore, a computer other than the security management server 101 may have this input-output device. In accordance with this, the security management server 101 may receive input from an input-output device of this computer, and may realize outputting to an input-output device of this computer in accordance with sending virtual client VM output (for example, a display and/or sound) to this computer.

The principal programs stored in the external storage device 205 of the security management server 101 in accordance with this embodiment will be explained here.

In the case of this embodiment, the above-described security management server 101 manages the security of the respective virtual clients running on the first and second physical clients 102A, 102B. As means for achieving this, programs such as a security management control program 210, a setting program 211, a VM information collection program 212, a security check program 213 and an OS 214 are stored in the external storage device 205 as shown in FIG. 2.

Of these programs, the security management control program 210 is for controlling the various programs of the security management server 101, and the setting program 211 is for carrying out various settings in accordance with instructions from the user.

The VM information collection program 212 is for collecting virtual client management information from the VM management server 103, and either creating or updating a client management table 223 described hereinbelow.

Furthermore, the security check program 213 is for carrying out security checks on the respective clients registered in the client management table 223. The OS 214 provides the basic functions, such as inputting and outputting data to and from the peripheral devices, for executing the respective programs on the computer.

Next, the principal information stored in the external storage device 205 will be explained. But before doing so, the terminology “master information”, “master VM”, “individual customized information” and “individual VM” will be defined first.

Hereinafter, the term “master information” shall refer to information for configuring a virtual machine, with the exception of the individually customized portions in an environment of individual virtual machines (virtual clients) and individual users. Information configuring a virtual machine refers to either a part or an entire machine image. Machine image refers to the various information required to start up a virtual machine, which comprises the specifications, numbers and capacities of hardware, such as the virtual machine CPU, memory and communication controller, the BIOS settings, and a disk image for virtual machine disk emulation. Furthermore, for a plurality of virtual machines having the same master information, the master information constitutes the shared portions of the information configuring the virtual machines.

“Master VM” refers to the virtual machine targeted when carrying out a security check of the master information.

“Individual customized information” refers to individually customized portions of information in a case where a virtual machine is individually customized on the basis of the master information. For example, this expression corresponds to information related to the customized desktop environment and user profiles of each user, and information regarding software individually installed in special-purpose virtual machines (virtual clients).

“Individual VM” refers to a virtual machine targeted when carrying out a security check of individual customized information.

Specific examples of “master information” and “individual customized information” will be explained. For example, the machine image of a virtual machine A, which has been installed with a certain software A, is copied, and a virtual machine B having the same configuration as this virtual machine A is created. Thereafter, when software B is installed in this virtual machine B, the machine image of virtual machine A, which comprises software A, is the master information, and the individually customized portion in virtual machine B, which comprises software B, that is, the difference between the machine image of virtual machine A and the machine image of virtual machine B, is the individual customized information.

As another example, in virtualization technology (for example, Japanese Patent Application Laid-open No. 2006-221649), which starts up a plurality of virtual machines on the basis of virtual machine-configuring information that is shared by the plurality of virtual machines, and which individually manages the difference information of each virtual machine, the “virtual machine configuring information shared by the plurality of virtual machines” corresponds to the “master information”, and the “difference information of each virtual machine” corresponds to the individual customized information.

Returning to the explanation of the principal information stored in the external storage device 205 of the security management server 101, in the case of this embodiment, as means for the security management server 101 to manage the security of the respective virtual clients running on the first and second physical clients 102A, 102B, as shown in FIG. 2, a check policy management table 220, an individual VM/master VM correspondence management table 221, a check result management table 222, and a client management table 223 are stored in the external storage device 205.

The check policy management table 220 is for managing the policy of a security check to be executed with respect to virtual clients running on the first and second physical clients 102A, 102B, and, as will be explained hereinbelow using FIGS. 13 and 14, is created by the setting program 211 in accordance with an administrator setting operation utilizing a check policy setting window 500 shown in FIG. 14.

This check policy management table 220, as shown in FIG. 3, is configured from an item-to-check column 220A, an ID column 220B, a details column 220C, a check target column 220D, a priority column 220E and a check period column 220F.

The item-to-check column 220A stores the names of items (called items to check hereinafter) for which security checks fixedly specified beforehand are to be executed.

In the case of this embodiment, there are five such items to check: an “update program determination” for determining whether or not a prescribed update program is being used; an “anti-virus product determination” for determining whether or not an anti-virus product is installed; an “unauthorized software determination” for determining whether or not installation-prohibited unauthorized software is installed; a “compulsory software determination” for determining whether or not software that should always be installed is installed; and a “security settings determination” for determining whether or not the correct security settings have been made. However, the number and contents of the items to check are not limited thereto.

The details column 220C stores detailed items regarding the corresponding items to check. For example, in FIG. 3, the need for respective checks to determine whether or not the check-targeted virtual machines are using “patch A”, “patch B”, . . . is specified for the “update program”, and the need to check whether or not either version “1.0” of “virus checker A” defined on “2008/1/1” or version “1.0” of “virus checker B” defined on “2008/1/1” is installed is specified for “anti-virus product”.

Hereinafter, each detailed item to be subjected to a security check within an item to check shall be called a check item. For example, each check as to whether or not “patch A”, “patch B”, . . . are being used with respect to the item to check labeled “update program” corresponds to a check item. Further, each check as to whether or not version “2.0” of “software X”, all versions of “software Y”, . . . are respectively installed with respect to the item to check labeled “unauthorized software” corresponds to a check item. Furthermore, a check as to whether or not any of the anti-virus products cited in details column 220C are installed with respect to the item to check labeled “anti-virus product” corresponds to one check item.

ID column 220B stores an ID that has been assigned to the corresponding check item. In FIG. 3, for example, the ID “C1-01” is assigned for the check item “patch A” of the item to check labeled “update program”, and the ID “C1-02” is assigned for the check item “patch B” of the item to check labeled “update program”.

The check target column 220D stores the target for which a security check is to be executed for the corresponding check item. Specifically, any of “master”, “individual”, “master or individual” and “master and individual” is stored in the check target column 220D. “Master” signifies the fact that only the master VM needs to pass the check, and “individual” signifies the fact that only the individual VM needs to pass the check. Further, “master or individual” signifies the fact that either one of the master VM or the individual VM needs to pass the check, and “master and individual” signifies the fact that both the master VM and the individual VM need to pass the check.

For example, in a case where a certain software is installed in the master VM and distributed, since the software installed in the master VM is also installed in the individual VM, “master” is designated as the check target in the check item for determining the installation status of this software. In a case where “master” is designated, a security check is carried out only for the master VM for this check item, and the result of this check is used as the check result for all the individual VMs associated with this master VM rather than just for this master VM alone.

“Individual” is set as the check target for a check item that determines if the security settings have been illegally changed by an individual user. In a case where “individual” is set, the security check for this check item is carried out only for an individual VM, and the check result thereof is used as the check result only for this individual VM. Furthermore, the master VM does not fall within the check target for this check item.

The priority column 220E stores a priority that has been set for a corresponding check item. In the case of this embodiment, any of “high”, “medium” or “low” may be set as this priority. Furthermore, as long as the value set as the priority represents the priority of the check item, other values may also be set.

Of these setting values, “high” signifies that, barring any problems such as a shortage of free system resources, the check should be carried out as quickly as possible. “Medium” signifies that a check should be done within the check period by starting up the relevant virtual client on a free resource when the virtual client is not in use, so as not to bother the user of the check-targeted virtual client.

As for “low”, a check should be carried out within the check period by starting up the relevant virtual client on a free resource when the virtual client is not in use, the same as with “medium”, but in a case where there is concern that starting up the relevant virtual client will have an adverse effect on the other virtual clients due to a shortage of remaining free system resources, the check may be held back. In this embodiment, in a case where the free system resource capacity is such that starting up the relevant virtual client will make it impossible to start up another virtual client, a check is not carried out until there is sufficient free resource capacity.

Furthermore, for any check item for which the priority has been set to either “medium” or “low”, the security check shall be carried out as quickly as possible in a case where the check period described hereinbelow has expired.

In the case of this embodiment, “high”, “medium” and “low” have the above-mentioned meanings, but these values may have other meanings if they are the data for determining whether the check process for the relevant check item will be carried out immediately or will be carried out afterwards in accordance with the state of the system and the priority value for each check item.

The check period column 220F stores a period (called the check period hereinafter) during which a security check set for the corresponding check item is to be executed.
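The priority and check period semantics above reduce to a small scheduling decision: "high" runs as soon as a free resource exists, "medium" waits for the client to be idle and a free slot, "low" additionally requires that starting the client leaves room for one more, and any expired check period is treated as "high". The following Python is an added illustration of that decision logic and is not code from the patent; the machine IDs, dates and the idea of counting "free slots" (virtual clients that can still be started) are constructed assumptions, since the patent does not specify how free resource capacity is measured.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

RUN_NOW, DEFER, HOLD = "run_now", "defer", "hold"
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class PendingCheck:
    machine_id: str        # virtual client to be checked (assumed ID format)
    item_id: str           # check item (ID column 220B)
    priority: str          # priority column 220E: "high" | "medium" | "low"
    period_end: datetime   # last day of the check period (column 220F)
    vm_in_use: bool        # a user is currently working on the virtual client


def decide(check: PendingCheck, now: datetime, free_slots: int) -> str:
    """Decide whether one pending check runs now, given how many virtual clients can still be started."""
    expired = now > check.period_end
    if check.priority == "high" or expired:
        # As quickly as possible; only a shortage of free resources holds it back.
        return RUN_NOW if free_slots >= 1 else HOLD
    if check.vm_in_use:
        return DEFER  # do not bother the user; retry later within the check period
    if check.priority == "medium":
        return RUN_NOW if free_slots >= 1 else DEFER
    if check.priority == "low":
        # Starting this client must still leave capacity to start another one.
        return RUN_NOW if free_slots >= 2 else DEFER
    raise ValueError(f"unknown priority {check.priority!r}")


def schedule(checks: List[PendingCheck], now: datetime,
             free_slots: int) -> Tuple[List[PendingCheck], List[PendingCheck]]:
    """Hand out free slots to pending checks, expired periods first, then by priority; return (started, waiting)."""
    ordered = sorted(checks, key=lambda c: (0 if now > c.period_end else 1, PRIORITY_RANK[c.priority]))
    started, waiting = [], []
    for check in ordered:
        if decide(check, now, free_slots) == RUN_NOW:
            started.append(check)
            free_slots -= 1  # this client now occupies one of the free resources
        else:
            waiting.append(check)
    return started, waiting


# Constructed sample: four pending checks observed on 2008-01-15 (machine IDs and dates are assumed).
NOW = datetime(2008, 1, 15)
SAMPLE_CHECKS = [
    PendingCheck("vm-0101", "C1-02", "high", datetime(2008, 1, 31), vm_in_use=True),
    PendingCheck("vm-0102", "C5-01", "medium", datetime(2008, 1, 31), vm_in_use=False),
    PendingCheck("vm-0201", "C5-01", "low", datetime(2008, 1, 31), vm_in_use=False),
    PendingCheck("vm-0202", "C2-01", "low", datetime(2008, 1, 10), vm_in_use=True),  # period already expired
]


def run_sample(free_slots: int) -> Tuple[List[str], List[str]]:
    """Machine IDs started now and still waiting, for a given number of free slots."""
    started, waiting = schedule(SAMPLE_CHECKS, NOW, free_slots)
    return [c.machine_id for c in started], [c.machine_id for c in waiting]


if __name__ == "__main__":
    for slots in (1, 2, 5):
        print(slots, "free slot(s):", run_sample(slots))
```

With two free slots the expired "low" check on vm-0202 and the "high" check on vm-0101 start immediately (the high-priority check ignores the logged-in user, as the text requires), while the idle "medium" and "low" clients wait; the "low" check on vm-0201 only starts once at least two slots remain after the others have been served.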

This check policy management table 220 is referenced when the securitycheck program 213 executes a security check for each virtual client.

The individual VM/master VM correspondence table 221 is for managing thecorresponding relationship between respective virtual clients(individual VM) and a virtual client (master VM) for checking the masterinformation of a relevant virtual client, and as will be explainedhereinbelow for FIGS. 13 and 15, respective entries are registered bythe setting program 211 in accordance with an administrator settingoperation using an individual VM/master VM correspondence setting window600 shown in FIG. 15. However, since the corresponding relationshipbetween individual VM and master VM is also managed in the VM managementserver 103, the setting program 211 may regularly acquire thisinformation from the VM management server 103, and may automaticallyupdate the individual VM/master VM correspondence management table 221.

This individual VM/master VM correspondence management table 221, asshown in FIG. 4, is configured from a individual VM column 221A and amaster VM column 221B. An ID (called the machine ID hereinafter)assigned to a corresponding virtual client is stored in the clone VMcolumn 221A, and a machine ID of a corresponding master VM is stored inthe master VM column 221B.

The check result management table 222 is for managing the result of a security check for an individual VM and a master VM, and, as shown in FIG. 5, is configured from a CID column 222A, a machine ID column 222B and a plurality of ID columns 222C.

The CID column 222A stores identification information (CID) assigned to a security check of this check period. The machine ID column 222B stores a machine ID of a corresponding virtual client for which a security check has been carried out.

Furthermore, the respective ID columns 222C correspond to the IDs assigned to the above-mentioned respective check items in FIG. 3 (refer to ID columns 220B), and the check results of security checks executed for corresponding virtual clients at the time of the respective corresponding security checks are stored in these ID columns 222C.

For example, in FIG. 5, “◯” signifies that a virtual machine has passed the security check related to the check item of the virtual machine for the check period, “x” signifies that the virtual machine has failed this security check, and “-” signifies that the virtual machine was not targeted for this security check. Also, “pending” signifies that the security check has yet to be carried out (unchecked). In FIG. 5, the row enclosed within broken line 222D represents an example of the check results of a security check with respect to a master VM, and the areas enclosed within broken lines 222E, 222F and 222G represent results that reflect the check results of the security check with respect to the master VM for the individual VM as well.

A variety of methods may be used as the checking method of a security check for a virtual client, to include an agent-less method, which checks the security status based on information collected using WMI (Windows (registered trademark) Management Instrumentation) or SSH (Secure Shell), and a method, which checks the security status by acquiring information from an agent running on the virtual client. Either method may be used in this embodiment.

The client management table 223 is for managing security check-targeted virtual clients running on the first and second physical clients 102A, 102B in the security management server 101, and virtual machine management information read out from a virtual machine management table 420 of the VM management server 103 is respectively stored therein.

This client management table 223 is substantially configured from a machine ID column 223A, an IP address column 223B, a corresponding physical machine ID column 223C and a resource information column 223D as shown in FIG. 6.

The machine ID column 223A stores machine IDs respectively assigned to the virtual clients and physical clients that exist in the system, and the IP address column 223B stores IP addresses for accessing either the virtual clients or the physical clients.

The corresponding physical machine ID column 223C stores identification information (physical machine ID) that has been assigned to a physical client (either the first or second physical client 102A, 102B) on which the virtual client is running in a case where the corresponding virtual machine is the virtual client.

The resource information column 223D is configured from a CPU column 223DA, a memory column 223DB, and a disk column 223DC, and the CPU column 223DA, memory column 223DB and disk column 223DC store the resource capacities, such as the CPU, memory, and disk that have been respectively allocated to either the corresponding virtual client or physical client. However, this resource information column 223D may be omitted.

Furthermore, the above-mentioned check policy management table 220, individual VM/master VM correspondence management table 221, check result management table 222 and client management table 223 need not reside inside the external storage device 205 prior to program startup since the program dynamically creates and updates these tables. These tables may be held in the main memory 202 from initialization without being stored in the external storage device 205.

(1-3) Physical Client Configuration

Next, the configurations of the first and second physical clients 102A, 102B will be explained. Since the second physical client 102B has the same configuration as the first physical client 102A, only the configuration of the first physical client 102A will be explained here, and an explanation of the configuration of the second physical client 102B will be omitted.

FIG. 7 shows a simplified configuration of the first physical client 102A. As shown in FIG. 7, the first physical client 102A is configured by interconnecting a CPU 301, a main memory 302, an external storage device 303, a communication controller 304, and a host bus adapter (HBA) 305 via a system bus 306.

The CPU 301 is a processor in charge of controlling the overall operations of the first physical client 102A. Various types of processing, such as providing a virtual client to a user terminal 107, are performed by the first physical client 102A in accordance with this CPU 301 executing various programs that are stored in the main memory 302. Further, the main memory 302, in addition to being used for holding these various programs and various types of information, is also utilized as the CPU 301 working memory.

The communication controller 304 comprises communication control functions for exchanging various data and commands with the other devices connected to the network 105 by way of this network 105. The host bus adapter 305 comprises communication control functions for writing and reading data to and from the storage device 104 by way of the SAN 106.

The external storage device 303, for example, is a high-capacity storage medium configured from a hard disk device, and is utilized for holding various types of programs, such as a hypervisor program 310.

The hypervisor program 310 is for running a virtual client using the hardware resources of the first physical client 102A, such as the CPU 301, main memory 302, external storage device 303 and communication controller 304, on the basis of machine image information 320 stored in the storage device 104. “Machine image information” refers to the various types of information required for starting up virtual clients respectively provided to the user terminals 107, these virtual clients comprising the specifications, numbers and capacities of hardware such as the virtual client CPU, memory and communication controller, the BIOS settings, and a disk image for virtual machine disk emulation.

The hypervisor program 310 also comprises a performance information acquisition function 311. The performance information acquisition function 311 is able to acquire the CPU utilization rate and the amount of memory being used in the first physical client 102A by way of the network 105. Methods for acquiring information in accordance with the performance information acquisition function 311, for example, include a method that provides MIB (Management Information Base) information in accordance with an SNMP (Simple Network Management Protocol) agent, a method that comprises a WMI or other such management interface, or a method that uses SSH to remotely execute a performance information acquisition command.

Virtual machine (virtual client) machine image information 320, which is used by the hypervisor program 310, is stored in the storage device 104. The storage device 104 is connected to the first and second physical clients 102A, 102B by way of the SAN 106, and the machine image information 320 may be referenced by the hypervisor program 310 running on either the first or second physical client 102A, 102B. In the case of this embodiment, the machine image information 320 is configured from either one or a plurality of reproducible files.

The hypervisor program 310 reads in the machine image information 320, determines the resource capacity (CPU processing time, memory capacity, disk capacity, and so forth) to be allocated to a virtual machine and the hardware (CPU, communication controller and the like) to be emulated, and performs virtual machine (virtual client) emulation by converting the control of the resource capacity to be allocated to the virtual machine and the commands for the hardware to be emulated to commands for the various hardware resources of the first and second physical clients 102A, 102B. The hypervisor program 310 also reads in programs, such as an OS and application, and various types of setting information and/or user data stored in the disk image inside the machine image information 320, and executes the various types of software that will run on the virtual machine. In addition, the hypervisor program 310 comprises a function for copying various files stored in either the external storage device 303 or the storage device 104 via the network 105 the same as an ordinary OS.

(1-4) VM Management Server Configuration

FIG. 8 shows a simplified configuration of the VM management server 103 of this embodiment. The VM management server 103 comprises a CPU 401, a main memory 402, an instruction input device 403, a display 404, an external storage device 405, and a communication controller 406, and these components are configured in accordance with being interconnected by way of a system bus 407.

The CPU 401 is a processor in charge of controlling the overall operations of the VM management server 103. Processing such as that described hereinbelow is performed by the VM management server 103 in accordance with this CPU 401 executing various programs stored in the main memory 402. Further, the main memory 402, in addition to being used for holding various types of programs and information, is also utilized as the CPU 401 working memory.

The instruction input device 403 is for inputting a variety of instructions to the security management server 101, and is configured from a keyboard and/or mouse. The display 404, for example, is configured from a liquid crystal panel or CRT, and, under the control of the CPU 401, displays the status and results of processes executed by the VM management server 103.

The external storage device 405, for example, is a high-capacity storage medium configured from a hard disk device, and is utilized for storing various types of programs and data. A program stored in the external storage device 405 is loaded into the main memory 402 in accordance with a program start command from the instruction input device 403, and is executed by the CPU 401. The communication controller 406 is used for exchanging various data and commands with the other devices connected to the network 105 by way of this network 105.

The principal programs stored in the external storage device 405 of the VM management server 103 in accordance with this embodiment will be explained here.

In the case of this embodiment, the above-mentioned VM management server 103 manages the virtual clients running on the first and second physical clients 102A, 102B. As means for achieving this, a group of programs, such as a VM management program 410, a VM migration program 411, and a management information reference program 412, a virtual machine management table 420 and a physical machine management table 421 are stored in the external storage device 405 as shown in FIG. 8.

Of these programs, the VM management program 410 is for carrying out the creation, deletion, startup and shutdown of a virtual machine in accordance with an instruction from the user utilizing the instruction input device 403 and instructions from other programs via the network 105, and, based on the results thereof, for registering the management information and statuses of the respective virtual machines in the virtual machine management table 420. The VM management program 410 also has functions for either partially or entirely reproducing the machine image of an existing virtual machine, and in accordance with technology conforming thereto, creating a virtual machine having the same configuration as the existing virtual machine. The creation of this virtual machine, for example, is realized by issuing an instruction to the hypervisor program 310 by way of the network 105 to copy the file constituting the machine image in accordance with a machine image reproduction command using the instruction input device 403.

The VM migration program 411 is for migrating a virtual machine on one physical machine to another physical machine in accordance with an instruction from a user utilizing the instruction input device 403, and instructions from other programs by way of the network 105.

The management information reference program 412 is for restoring the information of the virtual machine management table 420 and the physical machine management table 421 in accordance with an instruction from a user utilizing the instruction input device 403, and instructions from other programs by way of the network 105.

The virtual machine management table 420 is used for managing various types of management information, such as virtual machine identification information, IP addresses, identification information of the physical client (the first or second physical client 102A, 102B) on which the virtual machine is running, the required resource capacity (resource capacities of the CPU, memory and so forth allocated to the virtual machine), and the status (“running” or “suspended”) for the respective virtual machines targeted for management by the VM management server 103.

This virtual machine management table 420 is substantially configured from a machine ID column 420A, an IP address column 420B, a corresponding physical machine ID column 420C, a status column 420D, and a resource information column 420E as shown in FIG. 9. The respective machine ID column 420A, IP address column 420B and corresponding physical machine ID column 420C store the same information as that of the machine ID column 223A, IP address column 223B and corresponding physical machine ID column 223C for the entries corresponding to the virtual client from among the entries of the client management table 223 described above with respect to FIG. 6. The status column 420D stores a value representing the status (running or suspended) of the corresponding virtual machine at the time.

The resource information column 420E is configured from a CPU column 420EA, a memory column 420EB and a disk column 420EC, and the CPU column 420EA, memory column 420EB and disk column 420EC respectively store the same information as the information stored in the CPU column 223DA, memory column 223DB and disk column 223DC corresponding to the client management table 223 of FIG. 6.

The physical machine management table 421 is for managing the physical machines connected to the network 105 (the first and second physical clients 102A, 102B in this embodiment), and as shown in FIG. 10, is configured from a machine ID column 421A, an IP address column 421B, and a resource information column 421C.

The machine ID column 421A stores identification information that has been assigned to a corresponding physical machine, and the IP address column 421B stores the IP address information of this physical machine. The resource information column 421C is configured from a CPU information column 421CA, a memory information column 421CB, and a disk information column 421CC, and the CPU information column 421CA, memory information column 421CB, and disk information column 421CC respectively store the specifications for the CPU, memory and disk mounted in the corresponding physical machine.

(1-5) Logical Configuration and Setting Contents

Next, the logical configuration of the network system 100 according to this embodiment will be explained. FIG. 11 shows an example of the logical configuration of the network system 100 of this embodiment.

First through fourth virtual clients VM1 through VM4 exist in the hypervisor program 310A of the first physical client 102A; the statuses of the first through third virtual clients VM1 through VM3 are running, and the status of the fourth virtual client VM4 is suspended. Not even one virtual client exists in the hypervisor program 310B of the second physical client 102B.

The machine images of the first through the fourth virtual clients VM1 through VM4 are stored in the storage device 104. The machine images of the second through the fourth virtual clients VM2 through VM4 were created by reproducing the machine image of the first virtual client VM1. The machine image reproductions, for example, are realized in accordance with the administrator using the VM management server 103 to issue an instruction to the hypervisor program 310A via the network 105 to copy the file configuring the machine image.

As for the first virtual client VM1, when the administrator is creating a virtual client to provide to an ordinary user, the administrator reproduces and uses the machine image information 320 to create a new virtual client so as not to have to construct a virtual client from scratch.

The second through fourth virtual clients VM2 through VM4 are virtual machines used by ordinary users, and these second through fourth virtual clients VM2 through VM4 are customized by the ordinary user. However, in this embodiment, the items capable of being customized by an ordinary user are limited to (A) through (C) below in accordance with the user privilege settings and OS settings (registry and other such settings) with respect to the directories and files of the first virtual client VM1.

(A) Individual desktop environment settings (such as the wallpaper and screensaver settings)
(B) Individual profile information (such as a personal password)
(C) The creation, alteration and deletion of user files, or the allocation of files introduced from outside (allocation of files introduced from outside the machine via portable media or the network 105) to a specific directory accessible via user privileges.

Information related to the first through fourth virtual clients VM1 through VM4 is registered in a virtual machine management table 420 (FIG. 9) of the VM management server 103. Further, information related to the first and second physical clients 102A, 102B is registered in a physical machine management table 421 (FIG. 10).

Furthermore, information to the effect that the master VM of the second through fourth virtual clients VM2 through VM4 is the first virtual client VM1 is respectively registered in the individual VM/master VM correspondence management table 221 (FIG. 4) of the security management server 101.

(1-6) Processing Steps

Next, the processing steps of the respective programs related to the virtual client security management method according to this embodiment will be explained. Hereinbelow, the various processes will be explained as being performed by a “program”, but of course the corresponding CPU 201, 301, 401 will actually execute this processing on the basis of the “program”.

(1-6-1) Security Management Control Program Process

First, the processing of the security management control program 210 (FIG. 2) of the security management server 101 (FIG. 2) will be explained. FIG. 12 shows the processing steps of the security management control process executed in accordance with the security management control program 210 of this embodiment.

The security management control program 210, upon being started up in accordance with a security check start instruction command from the instruction input device 203, first acquires from the management information reference program 412 of the VM management server 103 information related to the respective virtual clients running on the first and second physical clients 102A, 102B, and stores the acquired information related to the respective virtual clients in the client management table 223 (SP100).

Next, the security management control program 210 determines whether or not a check policy has been registered in the check policy management table 220 (SP101). If a negative result is obtained in this determination, the security management control program 210 then outputs to the display 204 a message urging the setting of a check policy, and ends this security management control process (SP109).

By contrast, if an affirmative result is obtained in the determination of Step SP101, the security management control program 210 generates a check ID (the CID in FIG. 5), which is unique identification information for each series of security check processes (a series of processes until checks of all the check items have been completed in accordance with repeated processing of SP104) (SP102). This check ID is used for determining whether or not the check result stored inside the check result management table 222 is the check result of the current security check. As long as it is unique, the check ID may be character string data such as a GUID (Globally Unique Identifier), the uniqueness of which is guaranteed, serial number numeric data, or data of another format. Next, the security management control program 210 acquires the present date and time from the OS 214, and stores this date/time in the memory 202 (SP103).

Thereafter, the security management control program 210 repeatedly executes the processing of Steps SP105 through SP108 explained hereinbelow until checks of all the check items set in the check policy have been completed (SP104).

That is, the security management control program 210 executes the security check program 213 and carries out security checks for each virtual client (SP105). Furthermore, upon executing the security check program 213, the security management control program 210 transfers the check ID created in Step SP102, the date/time data acquired in Step SP103, and an interval time (=T) for the repetitive processes of Step SP104 in accordance with the program arguments. In this embodiment, the value of the interval time is assumed to be a fixed value T stipulated by the system, but the configuration may also be such that the administrator specifies the interval time value as one item of the check policy.

Next, the security management control program 210 verifies the check result management table 222, and determines whether or not there remains a check item for which checking has still not been completed (SP106).

When an affirmative result is obtained in this determination, after waiting for a fixed period of time (=T) (SP107), the security management control program 210 returns to Step SP104 and thereafter repeats the processing of Steps SP104 through SP107 until a negative result is obtained in Step SP106.

Then, the security management control program 210, upon eventually obtaining a negative result in Step SP106 in accordance with completing the security check for all the check items, ends this security management control process (SP108).

(1-6-2) Setting Program Process

FIG. 13 shows the processing steps of a setting process executed in accordance with the setting program 211 of the security management server 101 (FIG. 2). The setting program 211, upon being started up in accordance with a setting program start instruction command from the instruction input device 203, at that time displays on the display 204 a message urging the specification of an item (called the setting target item hereinafter) as to what type of setting is to be performed, and waits for the administrator to specify a setting target item (SP200).

Then, when the setting target item has eventually been specified, the setting program 211 then determines if the setting target item specified at this time is either of a “check policy setting” or an “individual VM/master VM corresponding relationship setting” (SP201).

In a case where the setting target item specified at this time is determined to be the “check policy setting” in the determination of Step SP201, the setting program 211 then displays on the display 204 a predetermined GUI window for setting a check policy (called the check policy setting window hereinafter). The administrator is thereby able to set a desired check policy by using this check policy setting window. The setting program 211 then stores the check policy set by the administrator at this time in the check policy management table 220 (SP202), and thereafter ends the setting process.

In a case where the setting target item specified at this time is determined to be the “individual VM/master VM corresponding relationship setting” in the determination of Step SP201, the setting program 211 displays on the display 204 a predetermined GUI window for setting an individual VM/master VM corresponding relationship (called the individual VM/master VM correspondence setting window hereinafter). The administrator is thereby able to set a desired individual VM/master VM corresponding relationship by using this individual VM/master VM correspondence setting window. The setting program 211 then stores the individual VM/master VM corresponding relationship set by the administrator at this time in the individual VM/master VM correspondence management table 221 (SP203), and thereafter ends the setting process.

When it has been determined in the determination of Step SP201 that the setting target item specified at this time is neither a “check policy setting” nor an “individual VM/master VM corresponding relationship setting”, the setting program 211 displays an error on the display 204 (SP204), and thereafter ends this setting process.

An example of the configuration of the check policy setting window is shown in FIG. 14. In the check policy setting window 500 of FIG. 14, there are disposed check policy advanced setting portions 501 through 505, each of which corresponds to preset items that serve as the check items of a security check. In the case of this embodiment, the above-mentioned check items include five preset items: “update program determination”, “anti-virus product determination”, “unauthorized software determination”, “compulsory software determination” and “security setting determination”.

For example, in the check policy advanced setting portion 501 corresponding to the check item “update program determination”, it is possible to specify an update program to check whether or not an update has been applied, and it is possible to specify a check target, priority, and check period for each specified update program.

In check policy advanced setting portion 502 corresponding to the check item “anti-virus product determination”, it is possible to specify an authorized anti-virus product and the virus definition file version and date of this anti-virus product, a check target, priority, and check period.

In check policy advanced setting portion 503 corresponding to the check item “unauthorized software determination”, it is possible to specify installation-prohibited software and the version of this software, and it is possible to specify a check target, priority, and check period for each specified software.

In check policy advanced setting portion 504 corresponding to the check item “compulsory software determination”, it is possible to specify software that must always be installed, and it is possible to specify a check target, priority, and check period for each specified software.

In check policy advanced setting portion 505 corresponding to the check item “security setting determination”, it is possible to specify check yes/no, a check target, priority, and check period for each check item related to a security setting prepared beforehand.

In the check policy advanced setting portions 501 through 504 other than check policy advanced setting portion 505 corresponding to the check item “security setting determination”, there are disposed radio switches 501A through 504A for specifying whether or not to make the respective corresponding check items check targets.

After inputting the required items into the desired check policy advanced setting portion 501 in the check policy setting window 500, it is possible to close this check policy setting window 500 by clicking on either an OK button 506 or a Cancel button 507.

In a case where the OK button 506 is clicked at this time, the setting program 211 either registers the information specified in the check policy setting window 500 anew in the check policy management table 220, or updates the check policy management table 220 based on the information specified in the check policy setting window 500, and in a case where the Cancel button 507 is clicked, ends the processing without doing anything.

An example of the configuration of the individual VM/master VM correspondence setting window is shown in FIG. 15. The individual VM/master VM correspondence setting window 600 shown in FIG. 15 comprises a management target VM list display portion 601 for displaying a management target virtual client acquired from the client management table 223; a registered information display portion 602 for showing the relationship between an individual VM and a master VM registered in the individual VM/master VM correspondence management table; and a correspondence information additional setting portion 604 for specifying an additional correspondence between an individual VM and master VM.

When a Delete button 603 is clicked in a state in which a check box 607, which corresponds to any corresponding relationship of the corresponding relationships of the individual VM and master VM displayed in the registered information display portion 602, has been checked, the setting program 211 deletes the information related to the corresponding relationship between this individual VM and master VM from the individual VM/master VM correspondence management table 221.

Further, when an Add button 605 is clicked subsequent to an individual VM and master VM pair being specified in the correspondence information additional setting portion 604, the setting program 211 adds the specified information to the individual VM/master VM correspondence management table 221.

When an End button 606, which is displayed at the bottom right of the individual VM/master VM correspondence setting window 600, is clicked, the setting program 211 closes this individual VM/master VM correspondence setting window 600 and ends the process.

(1-6-3) Security Check Program Processing

Next, the contents of security check program 213 processing in Step SP105 of FIG. 12 will be explained. As described hereinabove, the security check program 213 receives from the security management control program 210 the check ID created in Step SP102, the date/time data acquired in Step SP103, and the interval time (=T) of the repeated processing of Steps SP105 through SP108.

FIG. 16 shows the processing steps of the security check process executed by the security check program 213 of the security management server 101. The security check program 213 first acquires the management information of the respective virtual clients by referencing the client management table 223, references the individual VM/master VM correspondence management table 221, and categorizes the acquired management information of the respective virtual clients into individual VM management information and master VM management information (SP300).

Next, the security check program 213 acquires, from among the management information categorized in Step SP300, the master VM management information, and repeatedly executes the below-described Steps SP302 through SP315 for all master VMs (SP301).

Specifically, the security check program 213 acquires information related to a master VM check item from the check policy management table 220, and, from among the check results of the master VM targeted at this time, acquires the result of the current security check (that is, the entry information that coincides with the check ID) from the check result management table 222 (SP302).

Next, the security check program 213 references the master VM check item acquired in Step SP302 and the check result of the security check of the master VM targeted at this time, and determines if an unchecked check item exists (SP303).

The security check program 213, upon obtaining a negative result in this determination, returns to Step SP301.

When an affirmative result is obtained in Step SP303, the security check program 213 then, based on the priorities set in the check policy management table 220, categorizes the unchecked check items of the targeted master VM into check items of “high” priority, check items of “medium” priority, and check items of “low” priority. The security check program 213 also lists the check items whose check period has expired, based on the date/time information acquired from the security management control program 210, the current date/time, and the check period set in the check policy management table 220 (SP304). As for the period expiration determination, in a case where the time arrived at by adding the time period recorded in the check period to the time extracted in SP103 and stored in the memory 202 (that is, the start time of the series of check processes) is older than the current time, the check period is determined to have expired. Furthermore, in this embodiment, the check period is described as a period of time that elapses from the start time of a series of check processes, but the expiration of the check period may also be determined when a UNIX (registered trademark) time (the number of seconds from Jan. 1, 1970 at 0 hours, 0 minutes, 0 seconds) or a specific date/time is recorded, and the time recorded in the check period is older than the current time. In accordance with this, a virtual client that has passed the security check of this check item need not have the security check executed for the same item again.
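The following is an added example, not code from the patent or from any product it describes, that models the tables and steps explained above as plain Python: the check policy management table 220 (ID, priority, check period), the individual VM/master VM correspondence table 221, the check result management table 222 with the FIG. 5 result symbols, the GUID check ID of Step SP102, the master/individual split of Step SP300, the unchecked-item determination of Steps SP302 and SP303, the priority buckets and the check period expiration rule of Step SP304, and the reflection of a master VM's results into the rows of its individual VMs (areas 222E through 222G of FIG. 5). The column layout, the "master"/"individual" check target values, the item IDs C01 through C03, the machine IDs and the times are all constructed assumptions made for the example.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Result symbols of FIG. 5 (check result management table 222).
PASS, FAIL, NOT_TARGET, PENDING = "◯", "x", "-", "pending"

@dataclass(frozen=True)
class CheckItem:
    """One row of check policy management table 220 (assumed column set)."""
    item_id: str             # ID column 220B
    target: str              # assumed check-target value: "master" or "individual"
    priority: str            # "high", "medium" or "low"
    check_period: timedelta  # check period column 220F, counted from the start time

@dataclass
class CheckResultTable:
    """Check result management table 222, keyed by (CID, machine ID)."""
    rows: dict = field(default_factory=dict)

    def get(self, cid, machine_id, item_id):
        return self.rows.get((cid, machine_id), {}).get(item_id, PENDING)

    def set(self, cid, machine_id, item_id, result):
        self.rows.setdefault((cid, machine_id), {})[item_id] = result

def new_check_id():
    """SP102: a GUID is one of the unique CID formats the text allows."""
    return str(uuid.uuid4())

def classify_vms(machine_ids, correspondence):
    """SP300: split IDs into master VMs and individual VMs using table 221
    (correspondence maps individual VM ID -> master VM ID)."""
    master_ids = set(correspondence.values())
    return ([m for m in machine_ids if m in master_ids],
            [m for m in machine_ids if m in correspondence])

def unchecked_items(policy, results, cid, machine_id, vm_type):
    """SP302/SP303: items for this VM type still pending under the current CID."""
    return [it for it in policy if it.target == vm_type
            and results.get(cid, machine_id, it.item_id) == PENDING]

def categorize_by_priority(items):
    """SP304: bucket unchecked items by the priority set in table 220."""
    buckets = {"high": [], "medium": [], "low": []}
    for it in items:
        buckets[it.priority].append(it.item_id)
    return buckets

def expired_items(items, start_time, now):
    """SP304: a period has expired when start_time + check_period is older than now."""
    return [it.item_id for it in items if start_time + it.check_period < now]

def reflect_master_result(policy, results, cid, correspondence, master_id):
    """FIG. 5 areas 222E-222G: copy the master VM's non-pending results for
    master-targeted items into the rows of its individual VMs; returns cells written."""
    written = 0
    for individual, master in correspondence.items():
        if master != master_id:
            continue
        for it in policy:
            res = results.get(cid, master_id, it.item_id)
            if it.target == "master" and res != PENDING:
                results.set(cid, individual, it.item_id, res)
                written += 1
    return written

def run_demo():
    """One check cycle for the FIG. 11 layout (VM1 master, VM2-VM4 clones);
    every row and time below is constructed sample data."""
    policy = [CheckItem("C01", "master", "high", timedelta(hours=1)),
              CheckItem("C02", "master", "medium", timedelta(hours=24)),
              CheckItem("C03", "individual", "low", timedelta(minutes=30))]
    correspondence = {"VM2": "VM1", "VM3": "VM1", "VM4": "VM1"}
    results, cid = CheckResultTable(), new_check_id()
    start = datetime(2024, 1, 1, 9, 0)   # SP103 start time of this check series
    now = start + timedelta(hours=2)     # current time when SP304 runs
    masters, individuals = classify_vms(["VM1", "VM2", "VM3", "VM4"], correspondence)
    pending = unchecked_items(policy, results, cid, "VM1", "master")
    results.set(cid, "VM1", "C01", PASS)  # the master VM passes item C01
    written = reflect_master_result(policy, results, cid, correspondence, "VM1")
    return {"masters": masters, "individuals": individuals,
            "buckets": categorize_by_priority(pending),
            "expired": expired_items(policy, start, now),
            "written": written,
            "vm2_c01": results.get(cid, "VM2", "C01"),
            "still_pending": [it.item_id for it in
                              unchecked_items(policy, results, cid, "VM1", "master")]}
```

Keying the result table by (CID, machine ID) is what makes the check ID do its job: rows written under an earlier CID never satisfy the pending test for the current series, so a stale pass cannot suppress a re-check. The period expiration rule is applied to the relative form described in the text; the absolute UNIX time or date/time form the text also permits reduces to comparing the recorded time directly against now.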

The security check program 213 acquires information stored in thevirtual machine management table 420 by the management informationreference program 412 of the VM management server 103 and informationstored in the physical machine management table 421, and, based on thisinformation and the virtual machine management table 420, alsodetermines whether or not the targeted master VM is currently running(SP305). Furthermore, when a prescribed VM is suspended, this refers toa state in which the hypervisor program 310 ends the execution of theapplication program, OS or other software running on the prescribed VM,and frees up the area of the main memory 302 of the physical client 102that had been used to provide the prescribed VM, i.e., the state inwhich the so-called prescribed VM has ended (the state prior to theinitialization of the prescribed VM). However, a case where theprescribed VM is suspended in this embodiment may also include atemporary suspended state in which the hypervisor program 310 writes thecontents of the prescribed VM-provided register and memory space back tothe machine image, and ends the execution of the application program, OSand other such software running on the prescribed VM. In order torestart the processing and run the temporarily suspended VM once again,the hypervisor program 310 reads in various types of information fromthe VM machine image, such as the contents of the memory space and thecontents of the register, and based on the contents thereof, restoresthe register and memory space contents of the prescribed VM, making itpossible to recommence software execution as a VM. Therefore, in a caseapplying to a temporarily suspended VM, the process for virtual machine(virtual client) emulation noted in the explanation of the hypervisorprogram 310 may also be read as the carrying out of the above-mentionedrestoration.

When a negative result is obtained via this determination, the securitycheck program 213 then acquires the resource capacity required for thismaster VM on the basis of the information of the virtual machinemanagement table 420 acquired in Step SP305. Additionally, the securitycheck program 213 also acquires the capacities (called the requiredresource capacity hereinafter) of the various resources (CPU, memory,disk, etc.) required in the respective physical clients (the first andsecond physical clients 102A, 102B) from the physical machine managementtable 421. The security check program 213 also uses an IP addressacquired from the same physical machine management table 421 to remotelyaccess the respective physical clients (the first and second physicalclients 102A, 102B), acquire the current performance information (CPUutilization rate and amount of memory being used) from the performanceinformation acquisition function 311 of these physical clients, andcompute the system resource capacity that is currently free (SP306).

Next, the security check program 213 compares the required resourcecapacity of the targeted master VM and the currently free systemresource capacity acquired in Step SP306, and determines whether or notit is possible to start up this master VM (SP307).

In a case where it has been determined in accordance with thisdetermination that it will not be possible to start up this master VM,the security check program 213 references the categorization results ofthe unchecked check items for this master VM created in Step SP304(SP308), and if there is either a check item having a “high” priority ora check item for which the check period has expired, issues an alert tothe administrator (SP309). As long as the method for issuing the alertto the administrator is one that notifies the administrator to theeffect that there is a shortage of resources, any of a variety of widelyused methods may be applied, to include displaying a message on thedisplay 204 or sending an e-mail addressed to the administrator. Then,the security check program 213 returns to Step SP301 and thereafterrepeats the same processing.

The security check program 213, in a case where the determination inStep SP307 was that there is not enough resource capacity for two ofthese master VM (a case where starting up the targeted master VM willmean that other VM will not be able to be run), references thecategorization results of the unchecked check items for this master VMcreated in Step SP304, and determines whether or not there are checkitems either having a “high” or “medium” priority or having an expiredcheck period (SP310).

Then, when an affirmative result is obtained via this determination, thesecurity check program 213 uses the VM management program 410 of the VMmanagement server 103 to start up this master VM (SP311). Specifically,the security check program 213 reads the corresponding machine imageinformation 320 from the storage device 104 into this hypervisor program310 in accordance with controlling either the first or second physicalclients 102A, 102B, and deploys this information to the main memory 302.However, in a case where there is a shortage of free resources in thephysical client (either the first or second physical client 102A, 102B)that will run this master VM, the security check program 213 starts upthe master VM subsequent to using the VM migration program 411 of the VMmanagement server 103 to migrate this master VM to the physical clientthat has the most free resources.

Next, the security check program 213 carries out security checks for thetargeted master VM with respect to a check item having a “high”priority, a check item having a “medium” priority, and a check itemhaving an expired check period, and stores the check results thereof inthe check result management table 222. For a check item for which thecheck target is “master”, the security check program 213 also stores thecheck results for this master VM in the check result management table222 as the check results of a security check of individual VM related tothis master VM. Furthermore, for a check item for which the check targetis “master or individual”, the security check program 213 stores thecheck results of the security check for this master VM in the checkresult management table 222 as the check results for individual VMrelated to this master VM only in a case where the check result showsthat the master VM passed this security check (Step SP312). The securitycheck program 213 then returns to Step SP301, and thereafter repeats thesame processing.

Furthermore, in a case where the determination in Step SP307 was thatthere are enough free resources inside the corresponding physical client(either the first or second physical client 102A, 102B) for two or moreof the master VM, the security check program 213 uses the VM managementprogram 410 of the VM management server 103 to start up this master VM(Step SP313). In a case where the free resources of the physical clientthat is to run the master VM (either the first or second physical client102A, 102B) are insufficient at this time, the security check program213, similarly to Step SP311, starts up this master VM subsequent tousing the VM migration program 411 of the VM management server 103 tomigrate this master VM to the physical client having the most freeresources.

Next, the security check program 213 carries out a security check forthe targeted master VM, and stores the check result thereof in the checkresult management table 222. The same as in Step SP312, the securitycheck program 213 stores the check results of the security check of thismaster VM in the check result management table 222 as the check resultsfor individual VM related to this master VM in accordance with the checktarget setting (SP314). Then the security check program 213 returns toStep SP301 and thereafter repeats the same processing.

The processing of Steps SP307 through SP314 is an example, and, forexample, Steps SP308 and SP309 may also be carried out in a case wherethe determination in Step SP307 is that there are not enough freeresources for two of these master VM.

By contrast, when an affirmative result is obtained in the determinationof Step SP305, the security check program 213 only carries out asecurity check for the targeted master VM with respect to a check itemhaving a “high” priority and a check item having an expired checkperiod, and stores the check results thereof in the check resultmanagement table 222. In a case where a master VM is started up likethis, the reason for carrying out a security check only for a check itemhaving a “high” priority and a check item having an expired check periodis so as not to interfere with any processing that could be performed bythis master VM when this master VM is running. The same as in StepSP312, the security check program 213 also stores the check results ofthe security check for this master VM in the check result managementtable 222 as the check results for individual VM related to this masterVM in accordance with the check target setting (SP315). Then, thesecurity check program 213 returns to Step SP301, and thereafter repeatsthe same processing.

Next, the security check program 213 acquires individual VM managementinformation from the management information categorized in Step SP300,and repeatedly executes the processing of the below-described StepsSP317 through SP330 for all the individual VM (SP316).

Specifically, the security check program 213 acquires informationrelated to the check item of an individual VM from the check policymanagement table 220, and, from among the check results of theindividual VM targeted at this time, also acquires the results of thecurrent security check process (that is, the entry information thatcoincides with the check ID) from the check result management table 222(SP317).

Next, the security check program 213 references the check item of thesecurity check for the individual VM acquired in Step SP317 and thecheck result of the security check for the individual VM targeted atthis time, and determines if an unchecked check item still exists(SP318).

The security check program 213 returns to Step SP316 upon obtaining anegative result in this determination.

When an affirmative result is obtained in Step SP318, the security checkprogram 213 then lists up, similarly to Step SP304, the unchecked checkitems for the targeted individual VM (SP319).

Next, the same as in Step SP305, the security check program 213determines whether or not the targeted individual VM is running (SP320),and when this individual VM is running, respectively acquires therequired resource capacity of this individual VM and the currentperformance information of the physical client, and computes the systemresource capacity that is currently free the same as in Step SP306(SP321).

Next, the security check program 213 determines whether or not it ispossible to start up this individual VM the same as in Step SP307(SP322).

In a case where it has been determined that it will not be possible tostart up this individual VM, if there is either a check item having a“high” priority or a check item for which the check period has expiredamong the unchecked check items of this individual VM, the securitycheck program 213 then issues an alert to the administrator the same asin Step SP308 (SP323, SP324). Then the security check program 213returns to Step SP316, and thereafter repeats the same processing.

In a case where the determination in Step SP322 is that there are notenough free resources for two of these master VM (a case where runningthe targeted master VM will mean that other VM will not be able to berun), the security check program 213 also references the categorizationresults of the unchecked check items for this individual VM created inStep SP319, and determines whether or not there are check items eitherhaving a “high” or “medium” priority or having an expired check period(SP325).

Then, when an affirmative result is obtained via this determination, thesecurity check program 213 starts up this individual VM the same as inStep SP311 (SP326).

The security check program 213 also carries out a security check forthis individual VM only in respect to the check items having a “high” or“medium” priority and the check item having an expired check period, andstores the check results thereof in the check result management table222 the same as in Step SP312 (SP327). Then, the security check program213 returns to Step SP316, and thereafter repeats the same processing.

Furthermore, in a case where the determination in Step SP322 is thatthere are enough free resources inside the corresponding physical client(either the first or second physical client 102A, 102B) for two or moreof these master VM, the security check program 213 starts up thisindividual VM using the same procedure as in Step SP313 (SP328), andthereafter carries out a check for this individual VM using the sameprocedures as in Step SP314, and stores the check results in the checkresult management table 222 (SP329). The security check program 213 thenreturns to Step SP316, and thereafter repeats the same processing.

By contrast, when an affirmative result is obtained in the determinationof Step SP320, the security check program 213 carries out a securitycheck for this individual VM only with respect to the check item havinga “high” priority and the check item having an expired check period, andstores the check results thereof in the check result management table222 the same as in Step SP315 (SP330). Then, the security check program213 returns to Step SP316, thereafter repeats the same processing, andwhen the processing of Steps SP317 through SP330 eventually ends for allthe individual VM, ends this security check process.
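The selection rules of Steps SP304 through SP330 above, condensed into a worked example. This is an illustration added for this page, not code from the patent or from the security management server it describes. The CheckItem data class, the bucket names, the resource dictionaries, the action labels and the sample check items are assumptions; because the text describes the master VM loop and the individual VM loop as parallel, one selection function is used for both.

```python
"""Added example for this page (not the patent's own code): deciding which
unchecked check items to run for a VM as in Steps SP304 to SP315, and copying
a master VM's results to its individual VMs per check target as in Step SP312.
CheckItem, the bucket names, the resource dictionaries and all sample values
are assumptions made for the illustration."""
from dataclasses import dataclass


@dataclass
class CheckItem:
    check_id: str
    priority: str       # "high", "medium" or "low" (check policy management table)
    target: str         # "master", "master or individual" or "individual"
    check_period: int   # seconds counted from the start of the check series (assumed unit)


def period_expired(item, series_start, now):
    """SP304: expired when series start + check period is older than now."""
    return series_start + item.check_period < now


def categorize(items, checked_ids, series_start, now):
    """SP304: bucket the unchecked items by priority and list the expired ones."""
    buckets = {"high": [], "medium": [], "low": [], "expired": []}
    for item in items:
        if item.check_id in checked_ids:
            continue
        buckets[item.priority].append(item)
        if period_expired(item, series_start, now):
            buckets["expired"].append(item)
    return buckets


def select_items(buckets, running, free, required):
    """SP305 to SP315 for one VM. free/required map a resource name to an amount.
    Returns (action, items) with action 'check', 'alert' or 'skip'."""
    urgent = buckets["high"] + [i for i in buckets["expired"] if i.priority != "high"]
    if running:
        # SP315: a running VM is only disturbed for high-priority or expired items
        return "check", urgent
    if any(free[r] < required[r] for r in required):
        # SP307 -> SP308/SP309: VM cannot be started; alert only if urgent work waits
        return ("alert" if urgent else "skip"), urgent
    if any(free[r] < 2 * required[r] for r in required):
        # SP310 to SP312: room for this VM but not for two; run high, medium and expired
        items = buckets["high"] + buckets["medium"] + [i for i in buckets["expired"] if i.priority == "low"]
        return ("check" if items else "skip"), items
    # SP313/SP314: ample resources; run every unchecked item
    return "check", buckets["high"] + buckets["medium"] + buckets["low"]


def propagate_to_individuals(master_results, items_by_id):
    """SP312: a 'master' item's result is copied to the individual VMs as-is;
    a 'master or individual' result is copied only when the master passed."""
    copied = {}
    for check_id, passed in master_results.items():
        target = items_by_id[check_id].target
        if target == "master" or (target == "master or individual" and passed):
            copied[check_id] = passed
    return copied


if __name__ == "__main__":
    # Constructed sample policy; IDs follow the C1-01 style used in FIG. 18
    policy = [CheckItem("C1-01", "high", "master", 3600),
              CheckItem("C3-02", "medium", "master or individual", 600),
              CheckItem("C5-01", "low", "individual", 7200)]
    buckets = categorize(policy, checked_ids=set(), series_start=1000, now=2000)
    print(select_items(buckets, running=False, free={"cpu": 3}, required={"cpu": 2}))
```

The "free resources for two of these master VM" test of Step SP310 is modelled as free capacity below twice the VM's own requirement; the page gives no finer rule, so that threshold is an assumption.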

(1-6-4) VM Information Collection Program Processing

Next, the contents of the processing of the VM information collection program 212 (FIG. 2) of the security management server 101 (FIG. 2) will be explained.

FIG. 17 shows the processing steps of the VM information collection process executed by the VM information collection program 212 in accordance with this embodiment. The VM information collection program 212 first invokes the management information reference program 412 of the VM management server 103, and acquires the respective virtual machine management information (called the virtual machine management information hereinafter) from the virtual machine management table 420 (SP400).

Next, the VM information collection program 212 stores either part or all of the acquired virtual machine management information in the client management table 223 (SP401). Thereafter, this VM information collection process ends.

(1-7) Working and Effect of this Embodiment

An example of the working of this embodiment is shown in FIG. 18. For example, check item “C1-01” in the check policy management table 220 is implemented for virtual machine VM1, and in a case where virtual machine VM1 passes the check (“C1-01-(1)” in FIG. 18), it is possible to set the check result for each individual VM to “0” without carrying out checks for the individual VM (VM2 through VM4) (“C1-01-(2)” in FIG. 18). Consequently, it is possible to speed up the security check process while shortening the throughput of the security check process and reducing the impact on the virtual client user.

In a case where check item “C5-01” in the check policy management table 220 is implemented for virtual machine VM2, the priority of this check item “C5-01” is “low”, so the check is skipped while virtual machine VM2 is in use, and the check process is carried out later when virtual machine VM2 is not being used (“C5-01” in FIG. 18). Consequently, it is possible to reduce the impact of the security check process on the user of virtual machine VM2.

In a case where check item “C3-02” in the check policy management table 220 is implemented for virtual machine VM3, the priority of this check item “C3-02” is “high”, so the check process for this check item is implemented despite the fact that virtual machine VM3 is in use (“C3-02-(1)” in FIG. 18). Similarly, if there is a shortage of resources in the first physical client 102A when check item “C3-02” is implemented for virtual machine VM4 (“C3-02-(2)” in FIG. 18), virtual machine VM4 is migrated to the second physical client 102B before the check process is implemented (“C3-02-(3)” in FIG. 18). Consequently, it is possible to carry out a check quickly for a high-priority check item.

According to the above-described security management method of this embodiment, since it is possible to selectively execute a security check for a virtual machine of a required type by check item, an unnecessary security check for a virtual machine of a type that is not required may be omitted. In this way, it is possible to carry out a virtual client security check quickly and efficiently.

According to the prior art, the problem is that a considerable load is placed on the check-targeted client side as well as on the management server side that is carrying out the check process by virtue of the execution of a security check for the virtual clients, but in accordance with the security management method of this embodiment, it is possible to realize increased speed using a method that shortens the throughput of the security check rather than a method that increases speed via parallel execution by a plurality of management servers.

(2) Second Embodiment

(2-1) Network System Configuration According to this Embodiment

Next, a second embodiment will be explained. This embodiment is based on virtualization technology (for example, the technology of Patent Document 2 or Non-Patent Document 1) whereby a plurality of management-targeted virtual clients share machine configuration information (either all or part of a certain machine image), and when a change is made to the shared machine configuration information, this change is reflected in all of the virtual clients that are sharing this machine configuration information, particularly virtualization technology whereby a change added to shared machine configuration information is not reflected in a virtual client that is already running, but rather, this change is reflected when the OS of the virtual client is rebooted. Furthermore, an OS reboot is not only a case where the OS processing of a running virtual client is ended and rebooted, but rather also includes a case where the virtual client transitions to the suspended state subsequent to the termination of this virtual client's OS, and thereafter the virtual client is started up and the OS boots up. A method realized in accordance with the following processing is considered an example of virtualization technology that reflects a change in this manner. However, a method other than this may also be used.

(Step 1) Records a change in the master VM. The change recording method records the specified change in accordance with the individual filenames that were changed or the file system addresses of the change. A different method for specifying a change may also be used. Updated data and pre-update data may also be recorded. This recording may be carried out by the hypervisor program, a master VM or another computer.

(Step 2) Detects the rebooting of the individual VM OS, and copies the recorded change data from the master VM disk image to the individual VM disk image. This detecting and copying may be carried out by the hypervisor program, the master VM, or a different computer. If the above-mentioned copy is inconsistent with either a file or setting that only exists in individual VM, the copying of the file (or data) containing the inconsistency will be suppressed.

(Step 3) Starts up the individual VM OS subsequent to copying. The software execution environment for reflecting the copied file (data) is thereby realized on the individual VM.

However, the present invention may be applied within the scope of the first embodiment as virtualization technology that does not require the rebooting of the virtual client in order to reflect a change in the shared information.

Since this embodiment does not depend on the implementation of the above-mentioned virtualization technology, a detailed explanation of virtualization technology will be omitted, and the explanation will be limited simply to an example. Further, the above-mentioned virtualization technology comprises technology in which the shared machine configuration information is the machine image itself and a virtual machine is able to be configured by shared machine configuration information alone (called virtualization technology 1 hereinafter), and technology whereby a virtual machine is not configurable via shared machine configuration information alone, but an individual virtual client is configurable by combining the shared machine configuration information with the individual machine configuration information possessed by each individual virtual client (called virtualization technology 2 hereinafter). In this embodiment, a system that makes it possible to support both virtualization technology 1 and virtualization technology 2 like this will be explained.
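The three-step change propagation described above, as an added example written for this page; it is not code from the patent, nor from any hypervisor or the VM image management program it mentions. Disk images are modelled as dictionaries from file path to content, and the "inconsistent" test of Step 2 is interpreted as the individual VM holding a file at the same path whose content differs from the master's pre-change content (a file the individual created or customised); that interpretation, the function names and the sample data are assumptions.

```python
"""Added example for this page (not the patent's code): record changes made to
a master VM image (Step 1), copy them into an individual VM image when that VM's
OS reboots while suppressing copies that clash with individual-only files
(Step 2), and hand the updated image to the boot (Step 3). Images are modelled
as path -> content dicts; names and sample data are assumptions."""


def record_change(master_image, path, new_content, change_log):
    """Step 1: apply a change to the master image and log it by filename,
    keeping both the pre-update and the updated data."""
    change_log.append({"path": path, "old": master_image.get(path), "new": new_content})
    master_image[path] = new_content


def copy_changes(individual_image, change_log):
    """Step 2: copy logged master changes into the individual image.
    A path whose current individual content differs from the master's
    pre-change content is treated as individual-only data and skipped."""
    applied, suppressed = [], []
    for change in change_log:
        path = change["path"]
        if individual_image.get(path) != change["old"]:
            suppressed.append(path)      # inconsistency: leave the individual file alone
            continue
        individual_image[path] = change["new"]
        applied.append(path)
    return applied, suppressed


def reboot_individual(individual_image, change_log):
    """Step 2 then Step 3: a reboot of the individual VM OS triggers the copy,
    and the image the OS boots from is returned together with what happened."""
    applied, suppressed = copy_changes(individual_image, change_log)
    return individual_image, applied, suppressed


if __name__ == "__main__":
    # Constructed sample images (not taken from any real system)
    master = {"/etc/app.conf": "v1"}
    log = []
    record_change(master, "/etc/app.conf", "v2", log)       # update shared file
    record_change(master, "/etc/new.conf", "shared", log)   # file added to master
    individual = {"/etc/app.conf": "v1", "/etc/new.conf": "mine"}
    print(reboot_individual(individual, log))
```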

In FIG. 19, in which parts corresponding to FIG. 1 have been assigned the same reference numerals, 700 denotes an entire network system according to the second embodiment. This network system 700 is configured the same as the network system 100 according to the first embodiment except for the different programs and types of information held in the external storage device 303 of the first and second physical clients 702A, 702B (FIG. 20) and the storage device 703, and the check items of the security check executed by the security management server 701 and the processing steps of this security check.

First, the configurations of the first and second physical clients 702A, 702B according to this embodiment will be explained. FIG. 20, in which parts corresponding to FIG. 7 have been assigned the same reference numerals, shows the configuration of the first physical client 702A in accordance with the second embodiment. The configuration of the second physical client 702B is the same as that of the first physical client 702A.

The external storage device 303 of the first physical client 702A holds a VM image management program 800 in addition to the hypervisor program 310. Further, a storage device 703 stores either one or a plurality of VM shared configuration information 801, one or a plurality of individual VM configuration information 802, and shared/individual correspondence information 803.

The VM shared configuration information 801 is either a portion or all of the information for configuring either one or a plurality of virtual clients, and typically is shared among a plurality of virtual clients. In the above-mentioned virtualization technology 1, the VM shared configuration information 801 is the machine image of a certain virtual client, and in the above-mentioned virtualization technology 2, the VM shared configuration information 801 is a portion of the information for configuring a certain virtual client.

The individual VM configuration information 802 is a portion of the information for configuring a virtual client, such as customized information for each individual virtual client. In the above-mentioned virtualization technology 1, the individual VM configuration information 802 is the difference information with respect to a virtual client configured from only the VM shared configuration information 801, and in the above-mentioned virtualization technology 2, the individual VM configuration information 802 is information that is combined with the VM shared configuration information 801 to configure a certain virtual client.

The shared/individual correspondence information 803 is information denoting the VM shared configuration information 801 respectively associated with the individual VM configuration information 802.

The VM image management program 800 manages the VM shared configuration information 801 and the individual VM configuration information 802, and provides a virtual machine image to the hypervisor program 310. That is, the hypervisor program 310 in this embodiment accesses the machine image by way of the VM image management program 800.

For example, the VM image management program 800, based on the shared/individual correspondence information 803, virtually constructs a machine image that combines the VM shared configuration information 801 and the individual VM configuration information 802. In a case where there has been a change to certain VM shared configuration information 801, the VM image management program 800 also manages both the pre-change information and the post-change information until confirming that the post-change information has been reflected in all of the virtual clients (that is, until the pre-change information is no longer required), and provides either the pre-change or the post-change information in accordance with a hypervisor program 310 request.

(2-2) Logical Configuration

Next, the portion of the logical configuration of network system 700 according to this embodiment that differs from the logical configuration of network system 100 according to the first embodiment described hereinabove (refer to FIG. 11) will be explained. In this embodiment, it is supposed that the VM shared configuration information 801 is a machine image having sufficient information to start up a virtual machine using only this information, as in the above-mentioned virtualization technology 1.

FIG. 21 shows a logical configuration of the network system 700 according to the second embodiment. The storage device 703 stores VM shared configuration information 801, and individual VM configuration information 802 (difference information with respect to the VM shared configuration information 801) for the respective virtual clients (second through fourth virtual clients VM2 through VM4) other than the first virtual client VM1.

As mentioned above, the VM shared configuration information 801 is a machine image having sufficient information to start up the first virtual client VM1 using this information alone, but a configuration in which individual VM configuration information 802 for the first virtual client VM1 is stored in the storage device 703, and the first virtual client VM1 has sufficient information to start up a virtual machine by combining the VM shared configuration information 801 with the individual VM configuration information 802 for this first virtual client VM1, may also be adopted.

The second through fourth virtual clients VM2 through VM4 are virtual machines created on the basis of the first virtual client VM1, and the machine images of these second through fourth virtual clients VM2 through VM4 are virtually configured by combining the VM shared configuration information 801 with the individual VM configuration information 802 for the respective virtual clients in accordance with the VM image management program 800.

In this embodiment, except for uninstalling software that has been installed in the master VM, it is supposed that the user of an individual VM has permission to carry out all sorts of operations. Methods for inhibiting the uninstallation of software include an uninstallation-prohibited setting in the registry, safeguards in accordance with user privileges for users of individual VM, and an uninstallation password setting, but other methods may also be used.

Further, the fact that the first virtual client VM1 is the master VM for all of the second through fourth virtual clients VM2 through VM4 is registered in the individual VM/master VM correspondence management table 221 (FIGS. 2 and 4), which is held by the security management server 701 the same as in the first embodiment.

As mentioned above, in this embodiment, the VM shared configuration information 801 is a machine image having sufficient information to start up the first virtual client VM1 using only this information, but in a case where the configuration is such that the first virtual client VM1 has sufficient information to start up a virtual client by combining the VM shared configuration information 801 with the individual VM configuration information 802 for this first virtual client VM1, any of the individual VM, that is, any of the second through fourth virtual clients VM2 through VM4, is also defined as the master VM. Specifically, for example, the second virtual client VM2 is defined as a master VM and an individual VM, and the second virtual client VM2 is respectively registered in the individual VM/master VM correspondence management table 221 as the master VM for the second through fourth virtual clients VM2 through VM4.

(2-3) Processing Steps

Next, the check policy in this embodiment will be explained. FIG. 22shows an example of the configuration of a check policy management table705 held by the security management server 701 of this embodiment.

In a case where a master VM passes a security check, it is necessary toconfirm that a change in the master VM is also reflected in individualVM with respect to a check item for which a security check is notcarried out for individual VM (that is, for a check item having a checktarget of either “master” or “master or individual”). That is, theindividual VM OS must be rebooted in order for the master VM change tobe reflected in the running individual VM.

Accordingly, the check policy of this embodiment has a check item called“reflect master change” added to the contents of the check policy of thefirst embodiment. This check item is for checking whether or not achange in the master VM has been reflected in individual VM.Furthermore, the “check target” and “priority” of this check item arerespectively fixed at “individual” and “high”, and it is not possible tochange this “check target” and “priority”. Also, unlike the “checkperiod” of other check items, the “check period” for this check itemsignifies an “action period” rather than a period for executing asecurity check.

The processing steps of the security check program 213 of thisembodiment will be explained. The security check process of thisembodiment, as shown in FIG. 23, in which parts corresponding to FIG. 16have been assigned the same reference numerals, adds Steps SP400, SP401and SP402 after Steps SP312, SP314, and SP315, respectively, of thesecurity check process according to the first embodiment.

Further, in the security check process of this embodiment, a securitycheck related to the check item “reflect master change”, which has beenadded to the check policy as mentioned above, is implemented subsequentto executing the same processing as that of Steps SP327, SP329 or SP330corresponding to the security check of the first embodiment in StepsSP403, SP404 and SP405 after Steps SP326, SP328 and SP320, respectively.

First, the contents of the processing of the security check program 704(FIG. 21) of the security management server 701 in the added StepsSP400, SP401 and SP402 will be explained.

The security check program 704 of this embodiment, subsequent to theprocessing of Step SP312, compares the check result of the precedingsecurity check against the check result of the current security checkfor the check item implemented in Step SP312. Then, in a case where thecheck item for which the preceding security check failed but the currentsecurity check passed, the security check program 704 determines thatthe change in the master VM must be reflected, and acquires from the OS214 the current date/time as the date/time of the master VM change(SP400). The security check program 704 executes this same processing inStep SP401 for the check item implemented in Step SP314, and in StepSP402 for the check item implemented in Step SP315.

Next, the contents of the processing of the security check program 704in Steps SP403, SP404 and SP405 will be explained.

The security check program 704, in Step SP403, carries out a check onlyfor a check item having a priority of “high”, a check item having apriority of “medium” and a check item having an expired check periodwith respect to the processing-targeted individual VM, the same as inStep SP327 of FIG. 16.

However, executing a security check for the check item “reflect master change” is limited to a case where the result of the reflect-master-VM-change yes/no determination carried out in Step SP400, Step SP401 or Step SP402 is that the change to the master VM must be reflected.

This security check method, for example, references log information, such as an event log of the check-targeted individual VM or a syslog, acquires the date/time of the last reboot, and determines whether or not a reboot has been carried out on or after the date/time of the master VM change, which was acquired in the above-mentioned Step SP400, Step SP401 or Step SP402.

In a case where the check result shows that this security check failed, the security check program 704 compares the date/time of the master VM change against the current time, and issues an alert if the specified period has expired.

Subsequent to the same processing as that of Steps SP329 and SP330 of the first embodiment being respectively carried out in Steps SP404 and SP405, the check process for the check item “reflect master change” described with respect to Step SP403 is executed.

The check period item of the check policy management table of the security management method of this embodiment holds, as described in the first embodiment, a setting value that inhibits commencement of a forced check of the master VM and individual VM before this period expires, and additionally holds a setting value (the action period) for commencing a prescribed process (the issuance of an alert described above) to urge a reboot when the presence or absence of an OS reboot has been checked repeatedly and no reboot has occurred even after the action period has expired.

Furthermore, in this embodiment, an explanation was given of an example in which the time at which the security check program 213 detected the change in the master VM is regarded as the time of the master VM change, and a determination is made on the basis of this time as to whether or not the individual VM were rebooted within the action period, but the expiration of the period may also be determined based on the actual date/time at which the change occurred in the master VM. For example, the security management server may acquire the date/time of the change to the master VM from the hypervisor program 310 of the physical client 702 on which the master VM is running, from the VM image management program 800, or from the VM management server, and compare the date/time obtained by adding the action period to this change date/time against the current date/time.
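The following is an added illustration of the "reflect master change" check described in Steps SP400 through SP403 above; it is not code from the patent. It assumes the master VM change time is the detection time, a constructed action period of three days, and constructed syslog-style boot lines for the individual VM.

```python
from datetime import datetime, timedelta

# Assumed action period for the check item "reflect master change"; in the
# described method this value comes from the check period item of the policy.
ACTION_PERIOD = timedelta(days=3)


def detect_master_change(prev_results, cur_results, now):
    """Steps SP400-SP402: compare the preceding check result with the current
    one per check item. An item that failed before but passes now means the
    master VM was changed; the detection time is recorded as the change time."""
    return {item: now
            for item, cur_ok in cur_results.items()
            if cur_ok and not prev_results.get(item, True)}


def last_reboot_time(log_lines):
    """Return the most recent boot time found in constructed syslog-style
    lines of the form '<ISO timestamp> <host> kernel: system boot'."""
    latest = None
    for line in log_lines:
        if "system boot" not in line:
            continue
        stamp = datetime.fromisoformat(line.split(" ", 1)[0])
        if latest is None or stamp > latest:
            latest = stamp
    return latest


def check_reflect_master_change(vm_id, log_lines, change_time, now,
                                action_period=ACTION_PERIOD):
    """Step SP403 for one individual VM: pass if the VM rebooted on or after
    the master VM change; when it did not, raise an alert only once the
    action period counted from the change time has expired."""
    reboot = last_reboot_time(log_lines)
    passed = reboot is not None and reboot >= change_time
    alert = (not passed) and now > change_time + action_period
    return {"vm": vm_id, "passed": passed, "alert": alert}


def run_example():
    """Drive the check over constructed data and return the per-VM results."""
    prev = {"patch-KB1": False, "antivirus": True}   # preceding master check
    cur = {"patch-KB1": True, "antivirus": True}     # current master check
    detected_at = datetime(2012, 11, 5, 9, 0)
    change_time = detect_master_change(prev, cur, detected_at)["patch-KB1"]
    now = datetime(2012, 11, 9, 9, 0)                # four days after the change
    logs = {  # constructed log lines, one individual VM each
        "vm-01": ["2012-11-06T08:30:00 vm-01 kernel: system boot"],  # rebooted
        "vm-02": ["2012-11-01T07:15:00 vm-02 kernel: system boot"],  # stale
    }
    return {vm: check_reflect_master_change(vm, lines, change_time, now)
            for vm, lines in logs.items()}
```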

(2-4) Effect of this Embodiment

According to the above-mentioned security management method of this embodiment, it is possible to carry out the same security management as in the first embodiment even for a network system 700 employing virtualization technology that does not reflect a change in an already running virtual client when a change has been applied to the master VM configuration information, but rather reflects this change when the virtual client is rebooted.

(3) Third Embodiment

Next, a third embodiment will be explained. FIG. 24, in which parts corresponding to those of FIG. 1 have been assigned the same reference numerals, shows a network system 900 according to the third embodiment. This network system 900 is configured the same as network system 1 according to the first embodiment except that this system automatically determines the check target set in the check policy based on system environment information.

FIG. 25, in which parts corresponding to those of FIG. 2 have been assigned the same reference numerals, shows a security management server 901 of this embodiment. This security management server 901 is configured the same as the security management server 901 according to the first embodiment except that a check target setting program 1000 is stored in the external storage device 205 in addition to the various programs and information described above with respect to FIG. 2, and that a function for automatically determining the check target set in the check policy based on system environment information is provided in a security management control program 1001.

The check target setting program 1000 examines, based on system environment information, which items allow customization of an individual VM and which do not, makes the master VM the check target for an item that is not customizable for the individual VM, makes the individual VM the check target for a customizable item, and sets these in the check policy management table 220.

Methods for acquiring environment information for determining whether customization is permitted may include acquiring the environment information from the master VM registry information, or ascertaining the privileges of the user using the individual VM, but in this embodiment, whether customization is permitted is determined by querying a VM management server 902.

FIG. 26, in which parts corresponding to those of FIG. 8 have been assigned the same reference numerals, shows the configuration of the VM management server 902 of this embodiment. This VM management server 902 is configured the same as the VM management server 103 according to the first embodiment except that a security management program 1002 is stored in the external storage device 405 in addition to the various programs and information described hereinabove using FIG. 8.

The security management program 1002 makes it possible to set security-related utilization restrictions for a virtual client created by this VM management server 902, and returns the above-mentioned restricted use information in accordance with an instruction from a user utilizing the instruction input device 403 or an instruction from another program by way of the network 105.

FIG. 27 shows a check policy setting window 1100 displayed by the security management server 901 of this embodiment. The check policy setting window 1100 of this embodiment differs from the check policy setting window 500 according to the first embodiment in that it is possible to specify “automatic” in addition to “master”, “individual”, “master or individual” and “master and individual” as the check target. In a case where “automatic” is specified as the check target, the security management control program 1001 of the security management server 901 automatically determines on the basis of system environment information whether or not customization of the individual VM is possible for the check item thereof, and specifies a check target.

Next, the processing steps of the security management control program 1001 related to the process for automatically determining the check target set in the check policy based on system environment information as mentioned hereinabove will be explained.

FIG. 28, in which parts corresponding to those of FIG. 12 have been assigned the same reference numerals, shows the processing steps of the security management control process of this embodiment. The security management control process according to this embodiment differs from the security management control process according to the first embodiment in that the processing of Steps SP500 and SP501 is executed prior to executing the processing of Step SP102.

In this case, the security management control program 1001, upon proceeding to Step SP500, ascertains if “automatic” has been selected as the check target of the check policy, and in a case where “automatic” has been selected, proceeds to Step SP501. In Step SP501, the security management control program 1001 automatically determines the check target by executing the check target setting program 1000, and sets a value such as “master” or “individual” in the “automatic” portion set in the check policy.

FIG. 29 shows the processing steps of the check target setting process executed in accordance with the check target setting program 1000 started up in Step SP501 of FIG. 28.

The check target setting program 1000 of this embodiment first references the check policy and lists up the items having the check target “automatic” (SP600), and thereafter invokes the security management program 1002 and acquires the restricted use information of the virtual client (SP601).

Next, the check target setting program 1000 repeats Steps SP603 through SP605 for each of the items having “automatic” as the check target listed in Step SP600 (SP602).

Specifically, the check target setting program 1000 references the restricted use information acquired in Step SP601, and determines whether or not the processing-targeted check item is customizable (SP603).

Then, when an affirmative result is obtained in this determination, the check target setting program 1000 sets “individual” as the check target of this check item (SP604), and when a negative result is obtained, sets “master” as the check target of this check item (SP605). For example, in the case of the check item that inquires if a password-controlled screensaver has been set, the check target setting program 1000 sets “individual” as the check target if the individual VM screensaver setting is not prohibited, and sets “master” if the individual VM screensaver setting is prohibited.

Then, the check target setting program 1000 ends the check target setting process shown in FIG. 29 when the processing of either Step SP604 or Step SP605 is complete.

In the above-mentioned network system 900 according to this embodiment, the check target set in the check policy is automatically determined and set based on system environment information, thereby making it possible to achieve an effect that facilitates check policy setting work in addition to the effect achieved in accordance with the first embodiment.

(4) Fourth Embodiment

Next, a fourth embodiment will be explained. In this embodiment, an explanation will be given using an example in which the check target set in the check policy is automatically determined based on the system environment information, the same as in the third embodiment. In the third embodiment, only one check target that is shared by all the master VM may be set for one check item, but in this embodiment, it is possible to specify check targets that differ by master VM for a single check item.

FIG. 30, in which parts corresponding to those of FIG. 24 have been assigned the same reference numerals, shows a network system 1200 according to the fourth embodiment. This network system 1200 is configured the same as the network system 900 according to the third embodiment except that the configuration of the security management server 1201 is different.

In this case, as shown in FIG. 31, in which parts corresponding to those of FIG. 26 have been assigned the same reference numerals, the security management server 1201 is configured the same as the security management server 901 according to the third embodiment except that the configurations of a security management control program 1300, a security check program 1301 and a check target setting program 1302, which are stored in the external storage device 205, are different, and that a check target management table 1303 is stored in this external storage device 205 in addition to the various programs and information described above using FIG. 2.

Furthermore, the example given below references the registry information of the master VM as an example of the environment information for determining whether customization is permitted. Further, the only difference in the security check program 1301 of this embodiment is that the check target information is acquired by referencing the check target management table 1303 for an item for which the check target of the check policy is set to “automatic”, and as such, an explanation of its processing steps will be omitted.

The check target management table 1303 is for managing the check target of each check item respectively set for each master VM, and, as shown in FIG. 29, is configured from a machine ID column 1303A and a plurality of ID columns 1303B.

The machine IDs of the respective master VM, for which the check target of the check policy is set to “automatic”, are stored in the machine ID column 1303A. The ID columns 1303B are provided corresponding to the respective check items set in the check policy, and a check target (either “master” or “individual”), which has been set in relation to the master VM for each corresponding check item, is stored in these ID columns 1303B.

FIG. 33 shows the processing steps of the check target setting process executed in accordance with the check target setting program 1302 started up in Step SP501 of FIG. 28.

The check target setting program 1302 of this embodiment first references the check policy, and lists up the items for which the check target is “automatic” (SP700).

Next, the check target setting program 1302 references the individual VM/master VM correspondence management table 221 and the client management table 223, and acquires the management information of all the master VM (SP701).

Thereafter, the check target setting program 1302 repeats the processing of Steps SP703 through SP706 explained hereinbelow for all master VM (SP702).

Specifically, the check target setting program 1302 repeats the processing of Steps SP704 through SP706 for the respective items having “automatic” as the check target listed up in Step SP700 (Step SP703).

That is, the check target setting program 1302 references the registry information of the processing-targeted master VM, and determines if the processing-targeted item is customizable (SP704).

When an affirmative result is obtained in this determination, the check target setting program 1302 then sets “individual” in the column of the check item of this master VM in the check target management table 1303 (SP705), and when a negative result is obtained, sets “master” in the column of this check item (Step SP706).

The check target setting program 1302 then ends the check target setting process shown in FIG. 33 when the processing of either Step SP705 or Step SP706 has been completed.
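The following is an added illustration of the automatic check target setting of the third embodiment (FIG. 29, one target per item from restricted use information) and of the fourth embodiment (FIG. 33, one target per master VM from registry information, recorded in the check target management table 1303); it is not code from the patent. The check policy, restricted use information and master VM registry contents are constructed samples, and the registry is simplified to a mapping of check item to "prohibited" or "allowed".

```python
# Constructed check policy: check item -> check target as entered in window 1100.
CHECK_POLICY = {
    "screensaver-password": "automatic",
    "antivirus-installed": "automatic",
    "patch-KB1": "master",
}

# Constructed restricted use information returned by security management
# program 1002 (third embodiment): True when the setting is prohibited
# for individual VM, i.e. the item is not customizable.
RESTRICTED_USE = {"screensaver-password": True}

# Constructed registry information per master VM (fourth embodiment),
# simplified to check item -> "prohibited" / "allowed".
MASTER_REGISTRY = {
    "master-A": {"screensaver-password": "allowed"},
    "master-B": {"screensaver-password": "prohibited",
                 "antivirus-installed": "prohibited"},
}


def automatic_items(check_policy):
    """Steps SP600 / SP700: list the check items whose target is 'automatic'."""
    return [item for item, target in check_policy.items() if target == "automatic"]


def target_for(customizable):
    """Steps SP604/SP605 and SP705/SP706: a customizable item is checked on
    the individual VM, a non-customizable one on the master VM."""
    return "individual" if customizable else "master"


def set_check_targets_from_restrictions(check_policy, restricted_use):
    """Third embodiment (FIG. 29): resolve every 'automatic' target to a
    single value shared by all master VM (Steps SP602-SP605)."""
    resolved = dict(check_policy)
    for item in automatic_items(check_policy):
        prohibited = restricted_use.get(item, False)
        resolved[item] = target_for(not prohibited)
    return resolved


def build_check_target_table(check_policy, master_registry):
    """Fourth embodiment (FIG. 33): build check target management table 1303,
    one row per master VM machine ID and one column per 'automatic' item
    (Steps SP702-SP706)."""
    table = {}
    for machine_id, registry in master_registry.items():
        table[machine_id] = {
            item: target_for(registry.get(item) != "prohibited")
            for item in automatic_items(check_policy)
        }
    return table


def check_target(check_policy, table, machine_id, item):
    """Lookup used by security check program 1301: an 'automatic' item takes
    its target from table 1303 for the given master VM, any other item from
    the check policy itself."""
    if check_policy[item] == "automatic":
        return table[machine_id][item]
    return check_policy[item]
```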

According to the above-mentioned security management method of this embodiment, in addition to the effect achieved in accordance with the third embodiment, it is possible to carry out security management in more detail by specifying check targets that differ by master VM for a single check item.

INDUSTRIAL APPLICABILITY

The present invention may be applied widely to security management devices of various configurations, which carry out security checks with respect to virtual clients on a network.

1. A security management device for managing the security of a virtual machine on a physical machine, the security management device comprising: a storage device storing resource information about the virtual machine; and a Central Processing Unit (CPU) configured to: (A) determine whether the virtual machine is running or suspended; (B) if the virtual machine is suspended, determine whether it is possible to start up the virtual machine or not, by comparing the resource information and a free resource capacity of the physical machine; and (C) if it is possible to start up, start-up the virtual machine on the physical server and execute a security check on the virtual machine start-upped.
2. A security management device according to claim 1, wherein as the execution of the security check on the virtual machine in (C), the CPU is configured to select an item to be checked based on the free resource capacity of the physical machine.
3. A security management device according to claim 2, wherein the item to be checked is selected further based on a priority of the item.
4. A security management device according to claim 3, wherein the CPU is configured to: (D) if the virtual machine is running, execute the security check about a high priority item.
5. A security management device according to claim 2, wherein the item to be checked is selected further based on a period of the item.
6. A security management method for managing the security of a virtual machine on a physical machine, the method comprising a step of: (A) determining whether the virtual machine is running or suspended; (B) if the virtual machine is suspended, determining whether it is possible to start up the virtual machine or not, by comparing resource information about the virtual machine and a free resource capacity of the physical machine; and (C) if it is possible to start up, starting up the virtual machine on the physical server and executing a security check on the virtual machine start-upped.
7. A security management method according to claim 6, the execution of the security check on the virtual machine in (C) includes a step of selecting an item to be checked based on the free resource capacity of the physical machine.
8. A security management device according to claim 7, wherein the item to be checked is selected further based on a priority of the item.
9. A security management device according to claim 8, the method further comprising a step of: (D) if the virtual machine is running, executing the security check about a high priority item.
10. A security management device according to claim 7, wherein the item to be checked is selected further based on a period of the item.
11. A computer system comprising: a physical machine running a virtual machine; and a security management device for managing the security of the virtual machine, configured to: (A) determine whether the virtual machine is running or suspended; (B) if the virtual machine is suspended, determine whether it is possible to start up the virtual machine or not, by comparing resource information about the virtual machine and a free resource capacity of the physical machine; and (C) if it is possible to start up, start-up the virtual machine on the physical server and execute a security check on the virtual machine start-upped.
12. A computer system according to claim 11, wherein as the execution of the security check on the virtual machine in (C), the CPU is configured to select an item to be checked based on the free resource capacity of the physical machine.
13. A computer system according to claim 12, wherein the item to be checked is selected further based on a priority of the item.
14. A computer system according to claim 13, wherein the CPU is configured to: (D) if the virtual machine is running, execute the security check about a high priority item.
15. A computer system according to claim 12, wherein the item to be checked is selected further based on a period of the item.